
Homebridge hacked?

Posted: Wed Aug 23, 2017 7:07 am
by DVDDave
I've been using Homebridge successfully for quite a while now and really like it (thanks!). Lately, however, I've noticed some activity that I did not initiate. At first I thought I accidentally controlled some devices, but the latest round was clearly not from me. All the logs show the controls being initiated from 127.0.0.1 and look exactly like they do when I use Siri or the Home app.

I've disabled Homebridge for now but need to find a more permanent fix. Any ideas on how I can get more info about where the actions were initiated, i.e. an IP address? Which password, if any, was likely compromised: AppleID or Indigo? I'm trying to learn more about how this actually works to understand any vulnerabilities, and any help would be much appreciated.

Thanks!

--Dave

Re: Homebridge hacked?

Posted: Wed Aug 23, 2017 7:53 am
by webdeck
You can find the homebridge log here: ~/Library/Logs/homebridge.log

That will have information on what homebridge has been seeing/doing.

Re: Homebridge hacked?

Posted: Wed Aug 23, 2017 8:07 am
by DVDDave
webdeck wrote:
You can find the homebridge log here: ~/Library/Logs/homebridge.log

That will have information on what homebridge has been seeing/doing.

Yes, I looked at that. Unfortunately it just shows the accesses as coming from 127.0.0.1. Thinking more about it, the Homebridge part is probably not secured but rather relies on the security of HomeKit through the Apple TV. I don't know if there is a way to get to a log of HomeKit accesses though.

Re: Homebridge hacked?

Posted: Wed Aug 23, 2017 8:09 am
by Different Computers
Any chance these are HomeKit automations making calls to Homebridge?

Re: Homebridge hacked?

Posted: Wed Aug 23, 2017 8:11 am
by DVDDave
Different Computers wrote:
Any chance these are HomeKit automations making calls to Homebridge?

Nope. Don't have any automations and they are for various unrelated devices like someone was just pressing random buttons.

Re: Homebridge hacked?

Posted: Wed Aug 23, 2017 8:21 am
by webdeck
Can you post an example from the homebridge log?

Re: Homebridge hacked?

Posted: Wed Aug 23, 2017 8:38 am
by DVDDave
webdeck wrote:
Can you post an example from the homebridge log?

Sure, but it's hard to copy right now since I'm away from home and accessing the console over VNC from my iPad. For now, the access log shows a setonstate, updatestatus, and Indigo request to 127.0.0.1 for each attempt to control a device. It's exactly the same as if I initiated the control.